Guide to Enterprise Risk Management
Frequently Asked Questions
Table of Contents
Page No
The Fundamentals
3 How does the scope of ERM compare to existing risk management approaches? 5
6 If companies are not implementing ERM, then what are they doing? 10
8 What are the steps companies can take immediately to implement ERM? 11
10 Why have companies that have tried to implement ERM failed in their efforts? 11
11 Does implementation of ERM ensure the success of a business? 12
15 Is there any way to benchmark the level of investment required to implement ERM? 13
16 Don’t successfully run companies already apply ERM? 14
17 How long has ERM been around and why is there a renewed focus on it? 14
18 What percentage of public companies currently have an ERM process or system? 15
19 Is there an example of effective ERM as it is applied in practice? 16
21 Are there any organizations that need not implement ERM? 16
22 What are the regulatory mandates for implementing ERM? 16
23 Are standards for implementing ERM different for private and public companies? 17
24 Must companies have sophisticated processes in all areas of risk management to realize
The COSO Enterprise Risk Management – Integrated Framework
26 Why was the COSO Enterprise Risk Management – Integrated Framework created? 18
27 What is the COSO Enterprise Risk Management – Integrated Framework? 18
29 How was the COSO ERM framework developed? 19
31 Are companies required to use the COSO ERM framework? 20
32 Does the COSO Enterprise Risk Management – Integrated Framework replace or supersede
33 How does the COSO Enterprise Risk Management – Integrated Framework compare to the
34 Does the new COSO framework broaden the focus of ERM beyond the traditional risk
management model’s focus on insurable risk? If so, how? 21
35 Are there other standards and frameworks in existence and, if so, what do they promulgate
and how does the COSO Enterprise Risk Management – Integrated Framework relate to them? 21
36 What is the point of view of the Securities and Exchange Commission (SEC) with respect to
37 What are the deliverables when the COSO ERM framework is implemented? 21
38 Can a company “partially” adopt the COSO Enterprise Risk Management – Integrated
The Role of Executive Management
39 Who should participate in the ERM process, and how? 23
40 Must the CEO be fully engaged in the ERM process or system for it to be successful, or can
41 How will senior management benefit from supporting ERM implementation? 24
44 What is the role of the treasury and insurance in an ERM environment? 25
45 Does ERM require reporting to executive management? If so, what types of reports are most
The Role of the Director
47 Why should directors be concerned about whether their companies implement ERM? 26
49 How should the board exercise oversight of ERM implementation? 28
The Role of the Chief Risk Officer
50 Should our organization have a chief risk officer (CRO) and, if so, what is his or her role? 30
The Risk Management Oversight Structure
53 What is the primary purpose of the risk management oversight structure? 33
54 How are compensation issues considered when organizing the risk management oversight
55 Is there a recommended organizational oversight structure? 34
56 How does the risk management oversight structure relate to the entity’s existing
57 Does implementation of ERM require the identification of individual risk owners? 40
The Role of Internal Audit
58 What roles does internal audit play in ERM implementation? 40
60 Should internal audit integrate the COSO ERM framework into its work? 42
61 Hasn’t internal audit evaluated the application of ERM within the organization? 42
62 Does the Institute of Internal Auditors (IIA) support the COSO Enterprise Risk Management –
63 Do The IIA standards require the use of the COSO Enterprise Risk Management – Integrated
Framework? For example, what is the relationship of ERM to IIA Standard 2010.A1
(which requires internal audit to undertake an annual risk assessment) and 2110.A2
(which requires a broad risk assessment aligned with the COSO framework)? 42
Risk Management Vision and Objectives
64 How does management develop a shared vision for the role of risk management in the
organization? What is the practical use of a shared vision? 43
65 How does management define the entity’s risk management goals and objectives? 44
66 What is “risk appetite” and how is it different from “risk thresholds,” “tolerances” or “limits?” 46
67 Is there a defined methodology for calibrating performance with risk tolerances? 47
68 How are the risk management vision and objectives translated into the appropriate
Conducting Risk Assessments
69 What is the relationship between risk assessment and risk management? 51
70 What is the relationship between risk assessment and performance assessment? 51
71 What are the components of an effective objective statement and why are objectives
72 What is the difference between an event and a risk? 52
73 Why doesn’t COSO’s definition of risk incorporate the notion that risk includes upside as
74 How do we articulate the concept of inherent risk so that it can be effectively used as risk
75 Is there an officially endorsed risk language we can use for our organization? 53
76 To what extent does the organization strictly define risk for the enterprise as a whole, when
the organization has a variety of different businesses? 55
77 What are risk maps and how are they used appropriately during the risk assessment process? 55
78 What’s an effective way for an organization to conduct a risk assessment? 56
79 What are the common mistakes and pitfalls during the risk assessment process? 58
80 How do we identify, understand and apply interrelationships among risks? 60
81 What is the appropriate level of depth when assessing risk? 61
82 Who should participate during the risk assessment process? 61
83 How is risk assessment related to risk quantification and should risk quantification be used
84 Is there value in using qualitative information when assessing risk? 61
Getting Started – Set the Foundation
85 What are the best steps to take when getting started? 62
87 Are there specific things an organization should accomplish the first year? 64
88 Who is responsible for “leading the charge” to implement ERM? 64
91 How do we obtain buy-in among our operating managers? 65
92 Can we leverage existing infrastructure so that we don’t create more overhead? 67
94 Do we need to put a name on an ERM initiative, i.e., isn’t ERM just good business practice
95 Do companies typically add full-time personnel to successfully develop and roll out an ERM
process and system, or do they ordinarily use existing personnel who devote their efforts to
96 What steps does management take to set the foundation? 68
97 How does management decide on the appropriate foundation capabilities? 69
99 Are there examples of a process classification scheme? 69
100 How is dialogue about risk and its root causes, drivers and sources improved? 69
101 How is knowledge sharing about risk management improved? 70
102 What does it mean to increase an organization’s awareness of or sensitivity to risk? 71
Taking a Process View – Building Capabilities
103 What steps does management take to build risk management capabilities? 72
104 How does management decide on the appropriate risk management capabilities? 74
105 How does management improve the organization’s risk assessments? 74
106 How are objective-setting, event identification and risk assessment related? 74
107 How important is risk assessment to the ERM effort? 74
108 What alternative responses are available to manage risk? 74
109 What factors must management consider when evaluating alternative risk responses? 78
110 What are the elements of risk management infrastructure, why are they important and how
111 Is there a model to help us set our priorities when implementing ERM and monitor our
progress as we improve our risk management capabilities? 83
112 What are alternative techniques for measuring risk and when are they deployed? 92
114 What risk management software products are currently available to assist companies with
115 Has the ERM software market reached maturity such that there are established solutions
116 What criteria should we use to evaluate the software alternatives? Are there different
117 Is specialized ERM software preferable to broader platforms for compliance, governance and
118 How does software functionality support the goals of ERM? 99
119 What are the primary categories and characteristics of successful ERM software vendors? 100
120 Is it better to design an ERM process first and then select the appropriate ERM software,
121 What is dashboard or scorecard reporting and how is it used in an ERM environment? 101
122 For financial services companies, is economic capital measurement a prerequisite for
123 How is continuous improvement applied to risk management? 104
124 What are the synergies and differences between ERM and “quality initiatives”
Taking it to the Next Level – Enhancing Capabilities
125 What steps does management take to enhance risk management capabilities? 107
126 How does management decide on the appropriate enhancement capabilities? 108
127 What is a “portfolio view” of risks and how is it practically applied? 108
128 How does management quantify risks enterprisewide? 109
129 How does management use ERM to improve business performance? 112
130 How should we integrate our ERM approach with our strategic planning process? 115
131 Should we complete our strategic planning process prior to conducting our first enterprisewide
132 Is it possible to successfully merge together the risk assessments that companies perform as a
result of ERM, Sarbanes-Oxley compliance, business continuity planning, internal audit and
various compliance activities related to workplace, environmental and other regulations? 116
133 How does management use ERM to establish a sustainable competitive advantage? 116
Building a Compelling Business Case
134 How do we build a compelling business case for ERM? 118
135 How do we select the appropriate capabilities for our ERM solution? 119
136 What are the key success factors or measures of success when evaluating the effectiveness and
impact of ERM implementation, i.e., how can we know whether an ERM approach has been
Making it Happen
137 What is journey management and why is it relevant to ERM implementation? 123
138 What is program management and why is it relevant to ERM implementation? 125
139 How can we quantitatively and qualitatively evaluate the benefits of implementing ERM in
142 Given that we have so many other things going on, how can we take on something like ERM
143 What standards should companies use to evaluate their ERM approach? 128
144 Are there any pitfalls to avoid when implementing an ERM approach? 128
Relevance to Sarbanes-Oxley Compliance
145 Does the Sarbanes-Oxley Act of 2002 (SOA) require companies to adopt ERM? Are there any
146 Can ERM assist certifying officers with the discharge of their SOA Section 302 certification
148 Should a decision to implement ERM consider the effort to comply with SOA? 130
149 Should management broaden the focus on compliance to managing business risk? 131
150 As a public company, why would we want to take on ERM on the heels of Section 404
151 How does self-assessment build on Section 404 compliance? Why does self-assessment
152 What does it mean to integrate compliance with Sections 404 and 302? How does such
integration build on an established self-assessment process and on Section 404 compliance?
Why does such integration contribute to a company’s evolution to ERM? 134
153 How does compliance with other applicable laws and regulations build on compliance with
Sections 404 and 302? Why does such compliance contribute to the evolution to ERM? 137
154 How does operational effectiveness and efficiency build on compliance initiatives? Why does
operational effectiveness and efficiency contribute to the evolution to ERM? 137
Other Questions
155 Will implementation of the COSO Enterprise Risk Management – Integrated Framework
156 Have any of the companies that have publicly disclosed their ERM processes received any
157 Have analysts and others within the investment community or rating agencies expressed their
views on how an effectively functioning ERM approach would impact their views of a company? 139
158 Can all of the information about risk and risk management be classified as attorney-client
privileged information, and therefore not be discoverable? 139
159 Since all of this information is presumed to be discoverable, does ERM create more litigation
160 Are there any court cases in which a company’s management or its board was viewed as
deficient because they did not have an adequate risk management system in place? 140
161 Are there risks associated with not having an ERM process in place and, if so, what are they? 140
162 Is it possible to link an ERM system to an employee’s performance and compensation? Are
163 Does a third-party certification, rating or other assessment mechanism exist for ERM? 140
164 How does ERM relate to the Basel Capital Accord requiring financial institutions to report on
165 What is the difference between ERM and an international standard such as ISO? 141
166 How does the COSO Enterprise Risk Management – Integrated Framework integrate with
such frameworks as COBIT, ISO 17799, BITS, NIST Special Publication 800-53 and ITIL? 141
167 What is happening in other countries with respect to risk management? Are these
developments positively impacting company performance and corporate governance? 141
168 Is there a format for communicating our risk management process to our customers in order
Introduction
In today’s challenging global economy, business opportunities and risks are constantly changing. There is a need for identifying, assessing, managing and monitoring the organization’s business opportunities and risks. The question is: How does an organization take practical steps to link opportunities and risks when managing the business? And further: What does this have to do with risk management?
In August 2004, the Treadway Commission’s Committee of Sponsoring Organizations (COSO) issued its Enterprise Risk Management – Integrated Framework after completing a developmental project spanning a three-year period. The framework, which includes an executive summary and application techniques, expands on the previously issued Internal Control – Integrated Framework to provide a more robust and extensive focus on enterprise risk management (ERM). As explained in the foreword to the framework: “While [the framework] is not intended to and does not replace the internal control framework, but rather incorporates the internal control framework within it, companies may decide to look to this enterprise risk management framework both to satisfy their internal control needs and to move toward a fuller risk management process.”
At Protiviti, we believe that ERM implementation should be integrated with strategy-setting. ERM redefines the value proposition of risk management by elevating its focus from the tactical to the strategic. ERM is about designing and implementing capabilities for managing the risks that matter. The greater the gap between the current state and the desired future state of the organization’s risk management capabilities, the greater the need for ERM infrastructure to facilitate the advancement of risk management capabilities over time. COSO’s new framework provides criteria against which companies can benchmark their risk management practices and processes. The framework provides a common language that fosters communication among executives, directors, auditors and advisors, and we encourage everyone with an interest in implementing ERM to read and understand it.
Many are asking questions about the value proposition of ERM and practical steps on how to implement it. While we do not have all the answers, we attempt to address in this publication some of the most commonly asked questions with respect to ERM. This publication is designed to answer your questions without making you wade through material with which you are already familiar. It often refers to the COSO framework, which readers can obtain at www.coso.org. It offers ideas, suggestions and insights to executives responsible for ERM implementation. It is intended for use as a reference tool rather than as a book to be read from cover to cover. It is supplemented by Issue 6 of Volume 2 of The Bulletin, “Enterprise Risk Management: Practical Implementation Advice,” which provides an overview for C-level executives and directors and is available at www.protiviti.com.
As companies gain more experience with implementing ERM, we expect to update this publication from time to time. If we do so, we will post information at www.protiviti.com. Protiviti periodically publishes ERM performer profiles on KnowledgeLeader℠ to provide ERM case examples and plans to publish a book including such profiles from time to time.
This publication is neither intended to be a legal analysis nor a detailed “cookbook” of steps to take in every situation. Accordingly, companies should seek out appropriate advisors for counsel on specific questions as they evaluate their unique circumstances.
Protiviti Inc.
January 2006